01cf121efbb7ffd5b0a1519a7399a17bd30ebff6783dbb3511cc5bd83329cacb

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

details.txt .exe
Size

28KB
MD5

3018e99857f31a59e0777396ae634a8f
SHA1

7031cfe76ee7b2c925f2c00372fb9ef7f983f60c
SHA256

c8fffb2e737514c551b2d7bcaf8baa459564b059cab1a35a3cec4b3c270d4525
SHA512

4604c98f765be26d4a0a33f54cc777810cae7fab5153ee637b4fc8057492fd40de6fdf9d88dc4f7f34f45dd174bae54a2b39e0f0e5f1f5997820b9bccf47686a
SSDEEP

768:vWkliAnUQYkYKzqbjC5RqHjrYReyZx+l0oKriCPRDL:+ySsz6jGeyZx+l0TR

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV = "C:\\Windows\\FVProtect.exe"	details.txt .exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	details.txt .exe
File opened (read-only)	\??\j:	details.txt .exe
File opened (read-only)	\??\l:	details.txt .exe
File opened (read-only)	\??\s:	details.txt .exe
File opened (read-only)	\??\w:	details.txt .exe
File opened (read-only)	\??\g:	details.txt .exe
File opened (read-only)	\??\h:	details.txt .exe
File opened (read-only)	\??\r:	details.txt .exe
File opened (read-only)	\??\t:	details.txt .exe
File opened (read-only)	\??\u:	details.txt .exe
File opened (read-only)	\??\y:	details.txt .exe
File opened (read-only)	\??\z:	details.txt .exe
File opened (read-only)	\??\i:	details.txt .exe
File opened (read-only)	\??\o:	details.txt .exe
File opened (read-only)	\??\q:	details.txt .exe
File opened (read-only)	\??\v:	details.txt .exe
File opened (read-only)	\??\k:	details.txt .exe
File opened (read-only)	\??\m:	details.txt .exe
File opened (read-only)	\??\n:	details.txt .exe
File opened (read-only)	\??\p:	details.txt .exe
File opened (read-only)	\??\x:	details.txt .exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\program files\videolan\vlc\lua\http\js\Doom 3 release 2.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\Britney Spears Song text archive.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\Keygen 4 all new.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\E-Book Archive2.rtf.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\Lightwave 9 Update.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\Britney Spears Sexy archive.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\Britney Spears fuck.jpg.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\Cloning.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\dialogs\DivX 8.0 final.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\Britney Spears.jpg.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\Arnold Schwarzenegger.jpg.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\Visual Studio Net Crack all.exe	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\106.0.5249.119\Full album all.mp3.pif	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\meta-inf\Britney Spears fuck.jpg.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\3D Studio Max 6 3dsmax.exe	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\Britney Spears full album.mp3.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\Windows 2000 Sourcecode.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\js\Magix Video Deluxe 5 beta.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\Saddam Hussein.jpg.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\Britney Spears.mp3.exe	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\106.0.5249.119\American Idol.doc.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\Magix Video Deluxe 5 beta.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\images\Microsoft Office 2003 Crack best.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\images\Best Matrix Screensaver new.scr	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\Harry Potter all e.book.doc.exe	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\106.0.5249.119\Britney Spears Sexy archive.doc.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\Ulead Keygen 2004.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\RFC compilation.doc.exe	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\106.0.5249.119\Windows XP crack.exe	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\106.0.5249.119\netsky source code.scr	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\Eminem Poster.jpg.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\Ringtones.mp3.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\The Sims 4 beta.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\dialogs\Doom 3 release 2.exe	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\Adobe Photoshop 10 full.exe	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\Internet Explorer 9 setup.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\images\Internet Explorer 9 setup.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\XXX hardcore pics.jpg.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\dialogs\Partitionsmagic 10 beta.exe	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\Full album all.mp3.pif	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\{8a69d345-d564-463c-aff1-a69d9e530f96}\DivX 8.0 final.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\Doom 3 release 2.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\dialogs\Arnold Schwarzenegger.jpg.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\Eminem.mp3.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\Full album all.mp3.pif	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\images\Partitionsmagic 10 beta.exe	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\Eminem Spears porn.jpg.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\Keygen 4 all new.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\images\Opera 11.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\images\Cracks & Warez Archiv.exe	details.txt .exe
File created	\??\c:\program files (x86)\google\update\download\Britney sex xxx.jpg.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\meta-inf\Ahead Nero 8.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\ui-lightness\images\Keygen 4 all new.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\Microsoft WinXP Crack full.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\images\Harry Potter all e.book.doc.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\images\Britney Spears cumshot.jpg.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\images\MS Service Pack 6.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Eminem Sexy archive.doc.exe	details.txt .exe
File created	\??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Adobe Photoshop 10 crack.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\js\Britney Spears blowjob.jpg.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\Norton Antivirus 2005 beta.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\css\Harry Potter 1-6 book.txt.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\images\3D Studio Max 6 3dsmax.exe	details.txt .exe
File created	\??\c:\program files\videolan\vlc\lua\http\requests\Windows 2000 Sourcecode.doc.exe	details.txt .exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\assembly\nativeimages_v4.0.30319_64\system.net.http\c2a702d703816f85cc229d96cb1b0c5f\Altkins Diet.doc.exe	details.txt .exe
File created	\??\c:\windows\serviceprofiles\localservice\downloads\Britney Spears.mp3.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-iis-ftpsvc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c7fc311342884a05\Adobe Photoshop 10 full.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-iis-httpcachebinaries_31bf3856ad364e35_6.1.7600.16385_none_016ed81c41e420af\Ringtones.mp3.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-iis-ftpsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d2857e8176c21a5b\RFC compilation.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-msieftp_31bf3856ad364e35_6.1.7601.17514_none_185c2e5bac23b0ff\Eminem Sexy archive.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-rpc-http_31bf3856ad364e35_6.1.7601.17514_none_a20056db9d9602b9\1001 Sex and more.rtf.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-nshhttp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bb339349516522f4\Teen Porn 15.jpg.pif	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-nshhttp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_01cc6dc48bd9c820\Magix Video Deluxe 5 beta.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-rpc-http_31bf3856ad364e35_6.1.7601.17514_none_a20056db9d9602b9\DivX 8.0 final.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_0b11635f6f2987f7\Eminem sex xxx.jpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-http.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9dba92a3ad3c9cba\WinXP eBook newest.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\msil_microsoft.web.manag..ftpclient.resources_31bf3856ad364e35_6.1.7601.17514_it-it_728c795f7e3add15\Saddam Hussein.jpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-http-api.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b1674d2a4c008727\Learn Programming 2004.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-ftp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_40c56267be83fa44\Britney Spears full album.mp3.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-iis-ftpsvc_31bf3856ad364e35_6.1.7601.17514_none_a8911c01ac406d53\RFC compilation.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-http-api.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e1f37ad05dce0376\1001 Sex and more.rtf.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-rpc-http.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_f7a7c978712fc3fb\Cloning.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-ftp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9e9fe35acb68e869\Ringtones.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-ftp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_40c56267be83fa44\Windows XP crack.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-iis-ftpsvc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d250db6576e90c00\Britney Spears cumshot.jpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-ftp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e13b5b4b99b6c1a\RFC compilation.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-i..httploggingbinaries_31bf3856ad364e35_6.1.7600.16385_none_e2632ecc829028ce\Magix Video Deluxe 5 beta.exe	details.txt .exe
File created	\??\c:\windows\downloaded program files\1001 Sex and more.rtf.exe	details.txt .exe
File created	\??\c:\windows\winsxs\msil_microsoft.web.management.ftp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c764949d9e0e1f81\Windows 2003 crack.exe	details.txt .exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http\v4.0_4.0.0.0__b03f5f7f11d50a3a\Adobe Premiere 10.exe	details.txt .exe
File created	\??\c:\windows\winsxs\wow64_microsoft-windows-iis-ftpsvc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2994a88887e40e96\Saddam Hussein.jpg.exe	details.txt .exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.servicemodel.http\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft Office 2003 Crack best.exe	details.txt .exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.net.http.rtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\Eminem Poster.jpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-rpc-http.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b10eeefd36bb1ecf\Clone DVD 6.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-softpub-dll_31bf3856ad364e35_6.1.7600.16385_none_e36a5d61e040da19\3D Studio Max 6 3dsmax.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-rpc-http.resources_31bf3856ad364e35_6.1.7601.17514_de-de_ac34209c8f58b02f\Harry Potter 5.mpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_es-es_3d0cf71ea727ac84\Partitionsmagic 10 beta.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-rpc-http.resources_31bf3856ad364e35_6.1.7601.17514_it-it_e1cfbfbf4861a979\Ringtones.mp3.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-rpc-http.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_83f53ecc3b7cbb54\Visual Studio Net Crack all.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_fr-fr_dfc46d1d99f9c2e6\Full album all.mp3.pif	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_es-es_992b92a25f851dba\How to hack new.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-http.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9dba92a3ad3c9cba\Eminem blowjob.jpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\msil_microsoft.web.manag..ftpclient.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3abfc674c8436031\Harry Potter 5.mpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\msil_microsoft.web.management.ftp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_69e7678091072788\Eminem full album.mp3.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.1.7601.17514_none_f7b3a6eafb8df2de\WinXP eBook newest.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_de-de_9450c441b822af1a\Eminem blowjob.jpg.exe	details.txt .exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.servicemodel.http\Eminem Sexy archive.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-irftp_31bf3856ad364e35_6.1.7600.16385_none_b2af329397f29f60\Eminem Sexy archive.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-rpc-http.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_83f53ecc3b7cbb54\Harry Potter game.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-nshhttp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5f499ae198e0c019\Teen Porn 15.jpg.pif	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-nshhttp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5f499ae198e0c019\Best Matrix Screensaver new.scr	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-http.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6eea4a6ceff69d5a\Windows 2003 crack.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-irftp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_92384f8bc335a75d\Britney Spears.mp3.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-msieftp_31bf3856ad364e35_6.1.7601.17514_none_747ac9df64812235\Harry Potter 1-6 book.txt.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-nshhttp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bb339349516522f4\3D Studio Max 6 3dsmax.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-ftp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b477ed13f43702eb\Eminem sex xxx.jpg.exe	details.txt .exe
File created	\??\c:\windows\downloaded program files\DivX 8.0 final.exe	details.txt .exe
File created	\??\c:\windows\winsxs\msil_microsoft.web.management.ftp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_69e7678091072788\E-Book Archive2.rtf.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.1.7601.17514_none_f7b3a6eafb8df2de\WinAmp 13 full.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-irftp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e9477992d4579b98\Matrix.mpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-softpub-dll_31bf3856ad364e35_6.1.7600.16385_none_3f88f8e5989e4b4f\Serials edition.txt.exe	details.txt .exe
File created	\??\c:\windows\winsxs\x86_microsoft-windows-nshhttp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8e19e3185626bf79\Kazaa new.exe	details.txt .exe
File created	\??\c:\windows\microsoft.net\assembly\gac_msil\system.servicemodel.http\v4.0_4.0.0.0__b03f5f7f11d50a3a\Britney Spears Song text archive.doc.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-ftp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e13b5b4b99b6c1a\Screensaver2.scr	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-http.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9dba92a3ad3c9cba\XXX hardcore pics.jpg.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-iis-ftpsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c830d42f42615860\Kazaa Lite 4.0 new.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-irftp_31bf3856ad364e35_6.1.7600.16385_none_b2af329397f29f60\DivX 8.0 final.exe	details.txt .exe
File created	\??\c:\windows\winsxs\amd64_microsoft-windows-ftp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6e13b5b4b99b6c1a\Visual Studio Net Crack all.exe	details.txt .exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	details.txt .exe

C:\Users\Admin\AppData\Local\Temp\details.txt .exe
"C:\Users\Admin\AppData\Local\Temp\details.txt .exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\Britney Spears porn.jpg.exe

Filesize
28KB

MD5
3018e99857f31a59e0777396ae634a8f

SHA1
7031cfe76ee7b2c925f2c00372fb9ef7f983f60c

SHA256
c8fffb2e737514c551b2d7bcaf8baa459564b059cab1a35a3cec4b3c270d4525

SHA512
4604c98f765be26d4a0a33f54cc777810cae7fab5153ee637b4fc8057492fd40de6fdf9d88dc4f7f34f45dd174bae54a2b39e0f0e5f1f5997820b9bccf47686a

Download Submit
memory/3024-3632-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3024-4-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3024-3158-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3024-3626-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3024-3628-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3024-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3024-3636-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3024-3640-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3024-3642-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3024-3644-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3024-3646-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3024-3648-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download
memory/3024-3650-0x0000000010000000-0x000000001002E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads